Company:
Date Published:
Author: Dan Moore
Word count: 3572
Language: English
Hacker News points: 9

Summary

When building APIs for web applications, desktop apps, or mobile applications, authentication is crucial to ensure that only authorized clients can access protected data or functionality. API keys play a vital role in this process, and their verification is essential to prevent unauthorized access. There are two primary approaches to verifying API keys: centralized and decentralized. Centralized verification consults a central authority on every request, while decentralized verification uses tokens signed with public key cryptography, so the API server can validate a token's contents without contacting the central authority. OAuth standards can be used for both centralized and decentralized authentication. Third-party API clients have additional authentication requirements, including coarse-grained permissions and scope validation, to ensure secure access to user data. Designing scopes upfront is essential to avoid the difficulty of retrofitting them later. Ultimately, protecting APIs requires careful consideration of authentication mechanisms, including the choice between centralized and decentralized verification, as well as user-based permission management for third-party applications.